More forest trust related patches

Stefan (metze) Metzmacher metze at
Mon Apr 13 03:57:54 MDT 2015

Am 13.04.2015 um 09:29 schrieb Andrew Bartlett:
> On Sun, 2015-04-12 at 21:38 +0200, Stefan (metze) Metzmacher wrote:
>> Hi,
>> I moved a lot more stuff to the -ok branch (Note I also changed fixed some
>> of the dsdb_trust_* helper functions compared to the last patchset!)
>> It passed autobuild a few times and it's ready for master from my site.
>> Note that samba-tool domain trust create needs to generate a true
>> utf8 based password if --no-aes-keys is given, this is required
>> because our kerberos client code can't handle random utf16munged passwords
>> for arcfour-hmac-md5 pre-auth yet.
> Indeed.
>> However there're a few TODO's in the remaining patches.
>> It's mainly related to bug #11130, where we should allow
>> The same applies also for trust accounts (I guess it's just based on the
>> '$').
>> It's allowed as a client and also as a service principal.
>> I added some tests for it and hacked a mostly working (but ugly
>> implementation),
>> Andrew maybe you can work out a better fix :-)
> I'm really curious as to if this is related to samAccountName, or
> perhaps CN or dnsHostName as attributes.  I guess I need to do more
> testing. 

It's the sAMAccountName, I've tested with sAMAccountName != CN + '$'
and there was no dnsHostName attribute.

>> Note that winbindd uses MYDOMAIN at OTHERREALM for kinit and generates some
>> warnings
>> without the fix for bug #11130, but it still work fine.
>> Please review and push the -ok patches.
> I'll take a look.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list